Security researchers have discovered a new campaign from threat actors attempting to steal credentials and financial information from victims. The latest attack appears on Facebook and uses misspelled versions of brand names to trick people into giving up their information, InfoSecurity Magazine reported.

The attack was first spotted by Tim Helming, the product management director at domain registry and research website DomainTools. Helming noticed a number of targeted advertisements appearing on the social network that weren’t what they purported to be.

The product management director first got suspicious of the scheme when he saw an advertisement offering two free tickets from the British airline easyJet—a giveaway supposedly tied to the company’s 22nd anniversary.

STRUCTURE SECURITY -- USE THIS ONE Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Photo: Newsweek Media Group

The ad appeared legitimate and the average user would likely trust it to take them to the company’s website. Instead, it directs to a site that asks the user to fill out a number of forms that includes personal and financial information.

However, the domain the user is directed to doesn’t belong to the company—nor was the advertisement posted on Facebook actually from the airline. It’s all part of a typosquatting campaign, in which the attackers use typos in a familiar brand’s name to trick people into believing they are looking at a legitimate and reputable site.

The campaign has already been spotted using more than 100 brands in Facebook ads in an attempt to get users to click and be transferred to a site where attackers can harvest their valuable information from them.

In some cases, Helming warned, the sites don’t just ask for the user to enter information but will ask them to connect their Facebook profile or other social media account to the site. Doing so could result in those accounts being compromised.

As for what the threat actors posting the ads do with the information they harvest, it all depends. Stolen credentials can be bundled and flipped on dark web marketplaces, or immediately used to try to crack other accounts associated with the victim. If a user gives out financial information, they can expect their account will receive some fraudulent activity on it shortly after visiting the site.

This particular attack is new to Facebook, but the strategy of typosquatting is not new to the actors behind it. According to Helming, the same attackers posting the Facebook ads also host a network of more than 110 website domains designed to look like legitimate sites of well known brands.

Like any typo-based attack, a keen eye can spot the issue with an ad or domain and avoid the attempt at stealing information.

Hovering over a URL will also help users figure out of it is real or not. The attackers will often use a URL that has “com” in the name so it appears as though it’s a familiar site with the .com extension. A closer look at the site may reveal the apparent “.com” is just part of the domain name itself and the site uses another extension less likely to be legitimate.

Helming warned future versions of such attacks can be weaponized even further than the passive credential and information harvesting they are currently used for. For example, an attacker could use the site to drop malware or ransomware on the visitor through a disguised download.